This skill guides practitioners through hardening AWS Identity and Access Management configurations to enforce least privilege access across cloud accounts. It covers IAM policy scoping, permission boundaries, Access Analyzer integration, and credential rotation strategies to reduce the blast radius of compromised identities.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionsecuring-aws-iam-permissionsExecute the skills CLI command in your project's root directory to begin installation:
Fetches securing-aws-iam-permissions from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate securing-aws-iam-permissions. Access via /securing-aws-iam-permissions in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | securing-aws-iam-permissions |
| description | 'This skill guides practitioners through hardening AWS Identity and Access Management configurations to enforce least privilege access across cloud accounts. It covers IAM policy scoping, permission boundaries, Access Analyzer integration, and credential rotation strategies to reduce the blast radius of compromised identities. ' |
| domain | cybersecurity |
| subdomain | cloud-security |
| tags | - aws-iam - least-privilege - permission-boundaries - access-analyzer - cloud-identity |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.IR-01 - ID.AM-08 - GV.SC-06 - DE.CM-01 |
Do not use for Azure AD or Google Cloud IAM configurations, application-level authorization logic, or federated identity provider setup (see managing-cloud-identity-with-okta).
Generate a comprehensive inventory of all IAM users, roles, groups, and attached policies using the AWS CLI and IAM credential reports. Identify accounts with console access, programmatic access keys, and their last-used timestamps.
# Generate IAM credential report
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | base64 -d > iam-report.csv
# List all IAM roles and their attached policies
aws iam list-roles --query 'Roles[*].[RoleName,Arn,CreateDate]' --output table
# Find users with access keys older than 90 days
aws iam list-users --query 'Users[*].UserName' --output text | while read user; do
aws iam list-access-keys --user-name "$user" \
--query "AccessKeyMetadata[?CreateDate<='$(date -d '-90 days' +%Y-%m-%d)'].[UserName,AccessKeyId,Status,CreateDate]" \
--output table
done
Activate IAM Access Analyzer at the organization or account level to identify resources shared externally and generate least-privilege policy recommendations based on CloudTrail activity.
# Create an Access Analyzer for the account
aws accessanalyzer create-analyzer \
--analyzer-name account-analyzer \
--type ACCOUNT
# List active findings for external access
aws accessanalyzer list-findings \
--analyzer-arn arn:aws:access-analyzer:us-east-1:123456789012:analyzer/account-analyzer \
--filter '{"status": {"eq": ["ACTIVE"]}}'
# Generate a policy based on CloudTrail activity for a specific role
aws accessanalyzer start-policy-generation \
--policy-generation-details '{
"principalArn": "arn:aws:iam::123456789012:role/AppRole",
"cloudTrailDetails": {
"trailArn": "arn:aws:cloudtrail:us-east-1:123456789012:trail/management-trail",
"startTime": "2025-01-01T00:00:00Z",
"endTime": "2025-03-01T00:00:00Z"
}
}'
Replace wildcard resource ARNs with specific resource identifiers. Add IAM policy conditions for MFA enforcement, source IP restrictions, and time-based access windows.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowS3ReadSpecificBucket",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::production-data-bucket",
"arn:aws:s3:::production-data-bucket/*"
],
"Condition": {
"Bool": {"aws:MultiFactorAuthPresent": "true"},
"IpAddress": {"aws:SourceIp": "10.0.0.0/8"},
"DateGreaterThan": {"aws:CurrentTime": "2025-01-01T00:00:00Z"}
}
}
]
}
Attach permission boundaries to IAM roles and users to define the maximum scope of permissions an entity can receive, preventing privilege escalation even if an administrator attaches an overly permissive policy.
# Create a permission boundary policy
aws iam create-policy \
--policy-name DeveloperPermissionBoundary \
--policy-document file://developer-boundary.json
# Attach the boundary to an IAM role
aws iam put-role-permissions-boundary \
--role-name DeveloperRole \
--permissions-boundary "arn:aws:iam::123456789012:policy/DeveloperPermissionBoundary"
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCommonServices",
"Effect": "Allow",
"Action": [
"s3:*",
"dynamodb:*",
"lambda:*",
"logs:*",
"cloudwatch:*"
],
"Resource": "*"
},
{
"Sid": "DenyIAMChanges",
"Effect": "Deny",
"Action": [
"iam:CreateUser",
"iam:DeleteUser",
"iam:CreateRole",
"iam:DeleteRole",
"iam:AttachRolePolicy",
"iam:PutRolePermissionsBoundary"
],
"Resource": "*"
}
]
}
Require MFA for all human users accessing the AWS console and CLI. Migrate workloads from IAM user access keys to IAM roles with temporary credentials via STS AssumeRole.
# Enforce MFA via SCP at the organization level
aws organizations create-policy \
--name RequireMFA \
--type SERVICE_CONTROL_POLICY \
--content '{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAllExceptMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
}
}
]
}'
# Deactivate unused access keys
aws iam update-access-key --user-name old-user --access-key-id AKIAEXAMPLE --status Inactive
Deploy AWS Config rules and Security Hub controls to continuously evaluate IAM posture. Set up EventBridge rules to alert on high-risk IAM changes such as new root access key creation or policy modifications.
# Enable AWS Config rule for IAM password policy
aws configservice put-config-rule \
--config-rule '{
"ConfigRuleName": "iam-password-policy",
"Source": {
"Owner": "AWS",
"SourceIdentifier": "IAM_PASSWORD_POLICY"
},
"InputParameters": "{\"RequireUppercaseCharacters\":\"true\",\"RequireLowercaseCharacters\":\"true\",\"RequireSymbols\":\"true\",\"RequireNumbers\":\"true\",\"MinimumPasswordLength\":\"14\",\"MaxPasswordAge\":\"90\"}"
}'
# EventBridge rule to detect root account usage
aws events put-rule \
--name DetectRootUsage \
--event-pattern '{
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"userIdentity": {"type": ["Root"]}
}
}'
| Term | Definition |
|---|---|
| Least Privilege | Granting only the minimum permissions required for an identity to perform its function |
| Permission Boundary | An advanced IAM feature that sets the maximum permissions an entity can have, regardless of attached policies |
| IAM Access Analyzer | AWS service that uses automated reasoning to identify resources shared externally and generate least-privilege policies from CloudTrail activity |
| Service Control Policy (SCP) | Organization-level policy that sets permission guardrails across all accounts in an AWS Organization |
| Assume Role | STS operation that returns temporary security credentials for cross-account or service-to-service access |
| Credential Report | AWS-generated CSV listing all IAM users, their access keys, MFA status, and last activity timestamps |
| Policy Condition | Constraints in IAM policies that restrict when and how permissions apply, such as MFA requirements or IP ranges |
| Identity Federation | Allowing external identity providers to grant temporary AWS access without creating IAM users |
Context: A startup attached the AWS-managed AdministratorAccess policy to all developer roles for speed during early development. A security audit reveals 15 roles with full account access while developers only use S3, Lambda, and DynamoDB.
Approach:
Pitfalls: Replacing policies without a parallel testing period causes service disruptions. Forgetting to scope Lambda:InvokeFunction to specific function ARNs leaves lateral movement paths open.
Context: An access key is found in a public GitHub repository. The key belongs to an IAM user with S3 and EC2 permissions across three AWS accounts.
Approach:
aws iam update-access-key --status InactivePitfalls: Deleting the key before deactivating it prevents forensic analysis of which services relied on it. Failing to check all three accounts for unauthorized activity leaves potential backdoors undetected.
IAM Security Assessment Report
==============================
Account ID: 123456789012
Assessment Date: 2025-02-23
Analyzer: IAM Access Analyzer + Prowler v4.3
CRITICAL FINDINGS:
[C-001] Root account has active access keys
- Resource: arn:aws:iam::123456789012:root
- Remediation: Delete root access keys, enable MFA on root
- CIS Benchmark: 1.4 (Ensure no root account access key exists)
[C-002] IAM user 'deploy-bot' has AdministratorAccess with no MFA
- Resource: arn:aws:iam::123456789012:user/deploy-bot
- Last Activity: 2025-02-20
- Remediation: Replace with IAM role, enforce MFA condition
HIGH FINDINGS:
[H-001] 3 IAM policies use wildcard Resource "*" with sensitive actions
- Policies: DevPolicy, CIPolicy, LegacyAdminPolicy
- Remediation: Scope resources to specific ARNs using Access Analyzer
[H-002] 7 access keys older than 90 days detected
- Users: svc-backup, svc-monitoring, dev-alice, dev-bob, ...
- Remediation: Rotate keys, migrate to role-based access
SUMMARY:
Total Findings: 14
Critical: 2 | High: 4 | Medium: 5 | Low: 3
Compliance Score: 62% (CIS AWS Foundations Benchmark v3.0)
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Keeps context tight: securing-aws-iam-permissions is the kind of skill you can hand to a new teammate without a long onboarding doc.
I recommend securing-aws-iam-permissions for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Registry listing for securing-aws-iam-permissions matched our evaluation — installs cleanly and behaves as described in the markdown.
Solid pick for teams standardizing on skills: securing-aws-iam-permissions is focused, and the summary matches what you get after install.
Registry listing for securing-aws-iam-permissions matched our evaluation — installs cleanly and behaves as described in the markdown.
securing-aws-iam-permissions has been reliable in day-to-day use. Documentation quality is above average for community skills.
securing-aws-iam-permissions fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
securing-aws-iam-permissions fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
We added securing-aws-iam-permissions from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Useful defaults in securing-aws-iam-permissions — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
showing 1-10 of 59